NEA-OIG Report
No. R-13-02

National Endowment for the Arts
Evaluation Report

Table of Contents

Results of Evaluation
Problem Areas
   Problem Area 1: The agency did not measure patching status.
   Problem Area 2: The agency did not have an automated process to fully patch all systems.
Exit Conference
Objective, Scope and Methodology

Results of Evaluation

The purpose of this evaluation was to answer the question:

       Has the NEA implemented an effective, comprehensive system for maintaining patch levels?

No. The NEA has not implemented an effective, comprehensive system for maintaining patch levels.

The process for patching NEA systems is ineffective and exposes the Agency's information and systems to significant risk. On November 15, 2012, we reviewed the patch status of 194 machines and found that:

   - All but four systems were missing High or Critical Severity patches. A High Severity patch is a software change that closes a flaw which would let an intruder run code of their choice on the network or elevate their privileges to take control of agency systems.
   - 11,176 High or Critical Severity patches were missing across agency systems.
   - An average of 58 High or Critical Severity patches were missing from each system.
   - 43 systems (22%) were missing patches that had been released one year ago or earlier.
   - Nine systems (5%) were missing patches released in 2007 or earlier.
   - An average of 29 High or Critical Severity patches for third-party (non-Microsoft) software were missing from each system.

When software vendors identify problems with their applications or operating systems, they create and release updates to the software to resolve these issues. These updates are known as "patches." They are made available to the public, who install them to rectify the problems they are intended to solve.

The majority of patches released today correct previously identified security flaws. Systems without these patches remain vulnerable to exploitation of those flaws, which can result in an intrusion by malicious individuals. Vulnerabilities rated High or Critical severity are those posing the highest risk to the systems in question. Once a patch is released, the risk to unpatched systems increases, because it has been publicly announced that a flaw is present, and the patch itself can be analyzed (for example, by comparing the patched and unpatched binaries) to precisely identify the nature of the security flaw. Malicious parties use this information to create new exploits if none are available already.

In order to manage and reduce the risk to the organization, those responsible for managing its systems must continually track the patch status of those systems and deploy patches as soon as they are made available. If systems are allowed to remain unpatched, the ease with which they can be attacked can nullify all other security measures in place at the organization. Patching is a primary means of securing systems, and despite potential staff and marketing assertions to the contrary, there is no effective substitute for this basic security measure.

The patching process for NEA systems was ineffective because the agency did not measure its patch status, and it did not have an automated process to fully patch all systems. These problem areas are discussed in detail in the rest of this report.

Problem Areas

Problem Area 1:
The agency did not measure patching status.

The agency did not measure the patching status of its systems. This lack of monitoring was partially responsible for the fact that systems were not patched. Our analysis of 194 workstations determined that High or Critical severity patches were missing from 190, or 98%, of all systems tested. On average, each system was missing 58 High or Critical severity patches.

Effective management is only possible with consistent measurement. Because the agency did not monitor the patch status of its systems, it could not manage the patching process or, by extension, the security of its network.

Systems with missing patches expose more than a single computer to risk; they expose all data and systems on the network. An exploited system serves as the attacker's entry point into the network. Once a foothold is gained, attackers can explore and potentially exploit every other system on that network. One weak link effectively circumvents the other controls applied at the network perimeter or within the applications themselves.

In order to execute the mission of the agency, senior management must remain informed of risks to its underlying systems. Because they were not regularly provided with an accurate picture of the agency's information security status, they were not aware of the risks to the confidentiality, integrity, and availability of agency data and systems.

Recommendation 1: Implement a specialized software tool to scan the patch status of all agency equipment at least weekly. This tool should be distinct from the tool used to patch systems, so that patch status is verified independently of the tool that reports having applied the patches.

Recommendation 2: Report patching status monthly to agency executive management.

Problem Area 2:
The agency did not have an automated process to fully patch all systems.

As of November 15, 2012, the agency was missing 11,176 High or Critical patches on its systems. Given the sheer number of patches released and the labor required to apply them manually, it is impossible to rely on manual processes to apply patches in a timely manner, and any process that cannot automatically patch third-party software is insufficient to protect the agency's data. While Microsoft provides robust, free tools to apply patches to its own software, on its own that software cannot provide automated patching for third-party software. Third-party software includes common items such as Mozilla Firefox, Adobe Acrobat, and Oracle Java. Of the 194 systems analyzed, 182 were missing High or Critical patches for third-party software. On average, each system was missing 29 patches for third-party software. Attacks on vulnerable third-party software are one of the primary vectors of intrusion.

High or Critical severity patches for all software should be applied agency-wide within days of release by their manufacturer. To achieve the best protection, these patches should be installed on most systems on the same day a patch is released, because exploits are generated quickly from the information provided as part of the patch. Any delay beyond the release date of a patch increases the risk exposure. For this reason, Microsoft ships Windows with automatic updating enabled by default, so that available patches are downloaded and installed every night.

Agency staff should be protected from malicious content encountered while browsing the Internet or received via email. Unpatched systems lack this basic level of protection and greatly increase the risk of system-wide compromise. Even newly built systems will be missing patches, and they should be fully patched before being brought online.

The agency's current patching method demands significant resources because it is not fully automated. Because it does not immediately apply all necessary High or Critical severity patches, the agency is operating under a high level of risk. As a result, the agency does not have the most basic level of defense for its systems and its network. The current patching process does not effectively protect the agency's information or systems.

Recommendation 3: Implement a specialized software tool to automatically patch all agency systems.

Recommendation 4: Patch all vulnerable software on all systems.

Recommendation 5: Apply all High or Critical severity patches on the day of release.

Recommendation 6: Fully patch all new systems as part of the build process.

Exit Conference

An exit conference was held with ITM officials on February 11, 2013. ITM officials concurred with our findings and recommendations.

Objective, Scope and Methodology

Objective:
       Has the NEA implemented an effective, comprehensive system for maintaining patch levels?

Scope:
       The scope of this evaluation included all servers, workstations, and other network equipment providing services and security on the NEA network.

Methodology:
1. Use Nessus with current definitions to perform an authenticated (credentialed) scan of all infrastructure and endpoints related to the NEA network. A credentialed scan can enumerate installed software and patch levels that an unauthenticated scan cannot see.
2. Identify systems that cannot be scanned due to technical or policy issues and, if possible, identify a means of scanning them.
3. Analyze vulnerabilities to remove false positives, and classify findings to identify trends and the causes of unpatched vulnerabilities.
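As an added example (not part of the OIG report and not the NEA's or Nessus's own code), the script below shows the measurement step that Recommendation 1 and the methodology above call for: it reads a scanner export in the shape of a Nessus CSV, keeps only High and Critical findings, and computes the same figures the report presents (systems missing High/Critical patches, total and average missing, systems with patches a year or more old, systems with patches from 2007 or earlier, and the third-party subset). The column names, the findings, the scan date and the inventory are all constructed for this example, and treating the "Windows : Microsoft Bulletins" plugin family as the Microsoft/third-party dividing line is an assumption; map these to whatever your scanner actually exports. Hosts that appear in the inventory but not in the export were never scanned, which is the condition step 2 of the methodology asks you to chase down.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

ACTIONABLE = {"High", "Critical"}
# Assumption for this example: findings in Nessus's "Windows : Microsoft Bulletins"
# plugin family are Microsoft patches; every other family is treated as third-party.
MICROSOFT_FAMILY = "Windows : Microsoft Bulletins"

# Constructed sample export (column names are assumptions, not a fixed Nessus schema).
SAMPLE_CSV = """Host,Risk,Name,Plugin Family,Patch Published
10.0.0.11,Critical,Microsoft security bulletin (constructed),Windows : Microsoft Bulletins,2012-10-09
10.0.0.11,High,Third-party PDF reader update (constructed),Windows,2012-08-14
10.0.0.12,High,Microsoft security bulletin (constructed),Windows : Microsoft Bulletins,2011-10-11
10.0.0.12,Medium,Third-party browser update (constructed),Windows,2012-09-01
10.0.0.13,Critical,Third-party runtime update (constructed),Windows,2007-05-08
10.0.0.13,High,Third-party browser update (constructed),Windows,2012-11-13
10.0.0.14,None,Nessus scan information (constructed),Settings,
10.0.0.15,Low,Informational finding (constructed),General,
"""
# Constructed asset inventory; 10.0.0.16 is absent from the export, i.e. never scanned.
SAMPLE_INVENTORY = ["10.0.0.11", "10.0.0.12", "10.0.0.13",
                    "10.0.0.14", "10.0.0.15", "10.0.0.16"]
SCAN_DATE = date(2012, 11, 15)


def parse_findings(csv_text):
    """Return (scanned_hosts, high_critical_findings).

    Any row at all proves the host was reached by the scanner, so hosts are
    collected before filtering; only High/Critical rows become findings.
    """
    hosts = set()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hosts.add(row["Host"])
        if row["Risk"] not in ACTIONABLE:
            continue
        findings.append({
            "host": row["Host"],
            "risk": row["Risk"],
            "name": row["Name"],
            "third_party": row["Plugin Family"] != MICROSOFT_FAMILY,
            "published": date.fromisoformat(row["Patch Published"]),
        })
    return hosts, findings


def patch_status(csv_text, scan_date, inventory=()):
    """Compute the report's patch-status figures from one scanner export."""
    hosts, findings = parse_findings(csv_text)
    per_host = defaultdict(int)       # High/Critical missing per host
    third_party = defaultdict(int)    # subset of the above for non-Microsoft software
    stale_hosts, ancient_hosts = set(), set()
    one_year_ago = scan_date - timedelta(days=365)

    for f in findings:
        per_host[f["host"]] += 1
        if f["third_party"]:
            third_party[f["host"]] += 1
        if f["published"] <= one_year_ago:       # "released one year ago or earlier"
            stale_hosts.add(f["host"])
        if f["published"].year <= 2007:          # "released in 2007 or earlier"
            ancient_hosts.add(f["host"])

    n = len(hosts)
    total = sum(per_host.values())
    tp_total = sum(third_party.values())
    return {
        "hosts_scanned": n,
        "hosts_missing_high_critical": len(per_host),
        "high_critical_missing": total,
        # Averages are over every scanned host, including fully patched ones,
        # which is how the report's "58 per system" figure (11,176 / 194) is formed.
        "avg_per_host": round(total / n, 1) if n else 0.0,
        "hosts_missing_year_old_patch": len(stale_hosts),
        "hosts_missing_2007_or_older": len(ancient_hosts),
        "hosts_missing_third_party": len(third_party),
        "avg_third_party_per_host": round(tp_total / n, 1) if n else 0.0,
        # Inventory entries with no rows at all were not scanned (methodology step 2).
        "not_scanned": sorted(set(inventory) - hosts),
    }


def report_sample():
    """Run the analysis over the constructed sample export and inventory."""
    return patch_status(SAMPLE_CSV, SCAN_DATE, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for key, value in report_sample().items():
        print(f"{key}: {value}")
```

Run the scanning tool and this analysis on a fixed schedule and keep the history; the monthly figure Recommendation 2 asks for is the trend line of these numbers, and a host that drops out of the export between runs belongs in the "not scanned" list rather than silently improving the average.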